One of fundamental causes of cyber attacks and malware infections is vulnerability that exists in software. Attackers performs malicious acts on a computer through attack codes using vulnerability and malware. In order to prevent such attacks beforehand, it is important to take measures to detect and correct a vulnerability before being attacked by attackers and to cause the attackers not to use the vulnerability as footholds of attacks.
Under these circumstances, research is been carried out on a technique of testing software and detecting a vulnerability that exists in the software. One of techniques of detecting a vulnerability that exists in the software is a vulnerability detection technique using a code clone.
The code clone indicates a code that is similar or identical to another in software. The code clone is caused by an act of copying and pasting a source code of another program having similar functions in order to realize a program having a specific function during development of software by software developers. Here, when a vulnerability is detected in a source code of a copy source, it is necessary not only to correct the source code of the copy source but also to correct a source code of a copy destination. However, even if the vulnerability is detected in the copy source, it is difficult to correct the vulnerability caused by the code clone unless the developer knows all of detected code clones of the vulnerability portion. The vulnerability detection technique using the code clone is a technique of detecting unknown vulnerability in software to be tested by detecting a code clone of a portion in which the vulnerability is detected in the software to be tested.
As a vulnerability detection technique using the code clone, there is a method using a source code of software (see Non Patent Literature 1 and Non Patent Literature 2). In this method, a code clone of a vulnerability portion contained in software to be tested is detected by extracting the source code of the vulnerability portion from the software where vulnerability is detected in the past and by testing the source code of the software to be tested.